chore(workflows): rename RELEASE_APP_* secrets to ROSEMARY_RELEASER_APP_* #34

Merged
brodkin merged 1 commit into main from chore/rename-release-secrets-to-rosemary
May 9, 2026

@brodkin brodkin commented May 9, 2026

Summary

The release-bot GitHub App is registered as Rosemary Releaser. Renaming the secret inputs across release-please.yml, both caller examples, and the README to match the Pepper PR Review pattern (PEPPER_PR_REVIEW_*) so the bot family naming stays consistent.

Rename map

| Before | After |
| --- | --- |
| RELEASE_APP_ID | ROSEMARY_RELEASER_APP_ID |
| RELEASE_APP_PRIVATE_KEY | ROSEMARY_RELEASER_APP_PRIVATE_KEY |

Files touched

  • .github/workflows/release-please.yml — secrets: declarations, env wiring, actions/create-github-app-token inputs, and inline doc comments (12 spots)
  • examples/caller-release-please.yml — commented-out App-token caller example (2 spots)
  • examples/caller-release-artifacts.yml — header comment cross-referencing the App-token path (1 spot)
  • README.md — Token-strategy table and the Release Artifacts trigger note (2 spots)

Pure rename — no behavior change. 18 insertions, 18 deletions.

Why now

DEV-225 setup: the Rosemary Releaser App is being created at the SpiceLabsHQ org with private key + org secrets named ROSEMARY_RELEASER_APP_ID / ROSEMARY_RELEASER_APP_PRIVATE_KEY. Workflow + docs need to reference those names so callers can secrets: { ROSEMARY_RELEASER_APP_ID: ${{ secrets.ROSEMARY_RELEASER_APP_ID }}, ... } and have it just work.

Test plan

  • After merge, bump v1 tag forward so consumers picking up the new caller examples reference the right secret names
  • Smoke-test in this repo by adopting release-please-self.yml as part of DEV-225 Phase 5 once the App is fully provisioned

…PP_*

The release-bot GitHub App is registered as "Rosemary Releaser". Renaming
the secret inputs across release-please.yml, both example callers, and
the README to match the Pepper PR Review pattern (PEPPER_PR_REVIEW_*) so
the bot family naming stays consistent.

No behavior change — pure rename. The reusable workflow's secret-input
names, the env var names, the actions/create-github-app-token wiring,
the caller examples, and the README docs all flip to the new names.

Refs: DEV-225
@brodkin brodkin merged commit bce3abd into main May 9, 2026
1 check failed
@brodkin brodkin deleted the chore/rename-release-secrets-to-rosemary branch May 9, 2026 02:36

@pepper-pr-review pepper-pr-review Bot left a comment

Verified against DEV-225 — aligned. The issue documents the Rosemary Releaser GitHub App naming convention, and this PR renames the workflow secret inputs to match (RELEASE_APP_* → ROSEMARY_RELEASER_APP_*). All 18 occurrences updated consistently across the reusable workflow, caller examples, and README. Grep confirms no old names remain.

Tests: N/A (workflow configuration and documentation only).

When you're ready to merge or have questions, just drop @pepper review in a comment and I'll take another look! 🌿

— Pepper
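
An added example, not part of this PR or the SpiceLabsHQ repository: a check a consumer repository could run over its caller workflows for the two old secret names in the rename map, separating live `secrets:` mappings from commented-out examples like the ones this PR touched. The function names and the sample workflow are constructed for illustration.

```python
import re

# Rename map from the PR description above.
RENAMES = {
    "RELEASE_APP_ID": "ROSEMARY_RELEASER_APP_ID",
    "RELEASE_APP_PRIVATE_KEY": "ROSEMARY_RELEASER_APP_PRIVATE_KEY",
}

# Match an old name only as a whole identifier, so the new names and
# unrelated ones such as MY_RELEASE_APP_ID are never flagged.
_OLD = re.compile(r"(?<![A-Za-z0-9_])(%s)(?![A-Za-z0-9_])" % "|".join(RENAMES))

# Constructed caller workflow (not from the repository): one stale
# commented-out example, one stale live mapping, one migrated mapping.
SAMPLE_CALLER = """\
jobs:
  release:
    uses: SpiceLabsHQ/.github/.github/workflows/release-please.yml@v1
    # secrets:
    #   RELEASE_APP_ID: ${{ secrets.RELEASE_APP_ID }}
    secrets:
      RELEASE_APP_PRIVATE_KEY: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
      ROSEMARY_RELEASER_APP_ID: ${{ secrets.ROSEMARY_RELEASER_APP_ID }}
"""

def find_stale(files):
    """files maps path -> text; returns (path, line, old, new, in_comment)."""
    hits = []
    for path, text in sorted(files.items()):
        for lineno, line in enumerate(text.splitlines(), 1):
            in_comment = line.lstrip().startswith("#")
            for m in _OLD.finditer(line):
                old = m.group(1)
                hits.append((path, lineno, old, RENAMES[old], in_comment))
    return hits

def migrate(text):
    """Rewrite every whole-identifier old name to its replacement."""
    return _OLD.sub(lambda m: RENAMES[m.group(1)], text)

if __name__ == "__main__":
    for path, lineno, old, new, in_comment in find_stale({"release.yml": SAMPLE_CALLER}):
        kind = "comment" if in_comment else "live"
        print(f"{path}:{lineno}: {old} -> {new} ({kind})")
```
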

@pepper-pr-review pepper-pr-review Bot added the pepper-approved label May 9, 2026
brodkin added a commit that referenced this pull request May 9, 2026
…lts repo (#35)

Adds release-please self-management to SpiceLabsHQ/.github so this repo
gets versioned point releases (v0.1.0, v0.1.1, etc.) instead of the
current rolling-v1-tag manual moves.

What this adds
--------------
- .github/workflows/release-please-self.yml — caller workflow on push:main
  invoking SpiceLabsHQ/.github/.github/workflows/release-please.yml@v1 with
  the Rosemary Releaser App secrets. The App identity ensures the release
  PR is authored by rosemary-releaser[bot] AND that tag pushes from the
  release PR merge can fire downstream workflows.
- .github/workflows/release-cascade-check.yml — no-op smoke test that fires
  on tag push and emits a notice with the actor identity. Lets us confirm
  end-to-end that tag-cascade auth chain is healthy.
- release-please-config.json — release-type: simple, single package at
  repo root, bootstrap-sha pinned to bce3abd so the first release window
  starts after PR #34 (the secret-rename) instead of scanning all history.
- .release-please-manifest.json — initial state {".": "0.0.0"}.
- version.txt — initial 0.0.0 placeholder that release-please will bump
  on each release (release-type: simple convention).

Smoke-test sequence after merge
-------------------------------
1. push:main fires release-please-self.yml
2. release-please scans commits since bootstrap-sha → finds this feat:
   commit → proposes a release PR for v0.1.0
3. The release PR is authored by rosemary-releaser[bot] (proof point #1)
4. Merging the release PR creates tag v0.1.0
5. The tag push fires release-cascade-check.yml (proof point #2)
6. Cascade check's notice should show actor=rosemary-releaser[bot]

Refs: DEV-225